GDPR in marketing: your questions answered!

This month we attended the ExecLN GDPR and ePrivacy conference at the Madejski Stadium to learn more about their impact on digital marketing. The ePrivacy Regulation will build on top of GDPR to extend to marketing over electronic channels, such as email marketing, cookies, online tracking technologies and so on. Though it was initially planned to come into force the same day as GDPR, it looks as though it may be a couple of years off yet. So, what guidance do we have? Luckily, lawyers and experts were on hand to shed some light with lessons from GDPR as well as the latest ePrivacy draft.

What’s the deal with all the cookie consent banner chaos?

Currently you don’t need to obtain consent for cookies which are strictly necessary for the function of your website or whose sole purpose is transmission. Any other cookies require consent. However, Elliot Cranmer from One Trust shared his predictions for the new ePrivacy regulations and says it’s looking likely that further exemptions will be made, including tracking technologies such as Google Analytics. This will be welcome news for website owners simply wishing to gather anonymous statistics to monitor their website’s performance without damaging the usability of their site with annoying consent pop-ups.

Types of cookie notices

The responsibility for obtaining consent may also be shifted from website publishers and service providers to the browsers and/or operating system providers, requiring them to offer tracking consent options in their settings. This would be another relief for users facing endless pop-ups, who would be able to control their consent in one central place. However, it’s unclear how this would work in practice. For instance, how do you ensure consistency across all browsers or operating systems, and how can they get a GDPR standard consent upfront?

Online advertising currently relies heavily on tracking activities, shopping behaviours etc. to make ads relevant and targeted. This allows audiences to consume content for free in exchange for receiving these ads. The new regulation therefore holds huge potential implications for this industry. Surveys have shown that the public would rather receive targeted advertising and be able to access free content than have to pay for content. (Media consumption such as Netflix is an exception, where paid-for subscription models seem to be the preference.) It wouldn’t be a popular move if the law that’s meant to protect us means we lose access to free content such as news sites which are currently supported by targeted ads.

Industry groups such as the DMA are urging the ICO not to rush decisions or make things too uncompetitive by solely relying on consent, arguing for the use of legitimate interest instead of consent for cookies and advertising. They have our back!

These cookies at the event definitely got my consent!

How concerned should we be about purchasing third party data?

“Very” was the answer from Christine Andrews, MD at DQM GRC, on the expert panel. Don’t forget that when you use data for your communications, those comms come from you and your brand, so if the recipient is not happy with this usage of their personal data it reflects badly on you, not on the broker you got it from. The data broking industry has tanked since GDPR as most suppliers don’t have the compliance in place even when they think they do. And any company that refuses to disclose where they got the data from should be avoided.

That being said, if you’ve gone through all your checklists, such as ensuring the data is up to date, and got all the appropriate lawful grounds, transparency, control, and other safeguards in place, then third party data from a reputable organisation can be of great value. Just make sure that when you make your first communication to those data subjects you are explicit about your usage of their data and where you got it from, to demonstrate further due diligence and transparency.

Can I use data that’s in the public domain for marketing purposes?

First of all, it’s worth pointing out that there’s a difference between data being in the public domain and data on platforms like LinkedIn, which are governed by their own privacy policies that would need checking.

If you can access personal data freely in the public domain you still need to understand the rights of individuals, such as the right to be informed of the new use you’re making of their data. You need to inform them of any new ways you’re using it and building on it, such as applying further data sets, profiling etc. If you’ve collected data through the public domain then tell the data subjects soon after, such as in your initial communication to them. Provide that information in a privacy notice, of course with the ability to opt out of their data being used in this way.

Can email marketing survive GDPR?

Dean Seddon, is email marketing more trouble than it's worth?

Of course! Since GDPR came into play, marketers have been terrified of what they can or can’t do and a lot of misinformation has been sold. However, GDPR shouldn’t really be something that prevents us from doing anything, unless it’s something we shouldn’t have been doing anyway! Putting the customer or the data subject and their rights first isn’t a new concept, but for some has required a mindset change. Many have adopted the attitude that it’s easier not to bother, but with some thought, it can be done to great effect. Email is still growing and engaging subscribers as one of the most personal and direct lines of communication. With cleaner data lists and less cluttered inboxes since GDPR we can now expect even higher engagement.

As a basic rule, B2B audiences (corporate email addresses) can be marketed to under legitimate business interest but have to be given the option to opt out. B2C or consumer emails must opt in and you can only use legitimate interest for service messages and not marketing ones. It can sometimes be unclear whether your message would count as serving a service or marketing purpose, and grey areas and contradictions have cropped up. Dean Seddon, CEO at Maverrik, advises that if you’re unsure about any type of data use or email send, check the ICO website or ask them questions directly to get better informed. He also warns to expect misinformed trolls accusing you of doing something illegal either way, so you should have a procedure in place for this.

What responsibility does a processor / controller have over their client’s data?

A data processor has shared responsibility over the data and should understand where their client got it from. The share of that responsibility is often determined by huge contracts written up by large corporations to protect themselves and can cause a headache for smaller businesses and agencies without the same legal support. William Richmond-Coggan, Partner at Pitman’s Law, says it is possible to come up with something neutral that strikes a fair balance of responsibility between parties with something as simple as a 3 page doc.

From the client’s point of view, they should undertake proper data mapping to fully understand the journey of their data through their suppliers, even going so far as to visit 3rd parties that handle the data and see first hand what they do with it. They should perform an audit on the organisation and work out who in the business is responsible for subcontractors.

GDPR is all done and dusted now right?

No way! Updates are ongoing and the conversation is still an important and relevant one to be having with customers. Surveys conducted by the ICO show that consumer trust of businesses is getting better but still low at 25% in 2018. This presents a massive opportunity for companies to work on building trust with their customers. Many people still don’t really understand what happens with their data and what their rights are. So, at a time when marketers are looking for new ways to talk to their audiences, this presents a great opportunity to have a new conversation.

DMA presentation about consumer trust of businesses holding their personal data

The next phase of GDPR is empathy and creating an emotional connection, reckons Rachel Aldighieri, Managing Director at the DMA. GDPR shouldn’t have been simply a tick-box exercise, but an opportunity to engage customers in a new conversation that puts them and their preferences first.

Chris Combermale, Group CEO at the DMA, agrees and advises we use GDPR as a catalyst to take a more customer centric view. Take a single client view. Look at all the points of contact you have with your customers. Basically, look at GDPR as an opportunity to have better customer centric marketing.

And my quote of the day from the event?

“GDPR is for life not just for Christmas!”

Christine Andrews, MD at DQM GRC.